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Abstract 

The paper presents two examples of non-traditional using of pro- 
gram specialization by Turchin's supercompilation method. In both 
cases we are interested in syntactical properties of residual pro- 
grams produced by supercompilation. In the first example we ap- 
ply supercompilation to a program encoding a word equation and 
as a result we obtain a program representing a graph describing 
the solution set of the word equation. The idea of the second exam- 
ple belongs to Alexandr V. Korlyukov. He considered an interpreter 
simulating the dynamic of the well known missionaries-cannibals 
puzzle. Supercompilation of the interpreter allows us to solve the 
puzzle. The interpreter may also be seen as an encoding of a non- 
deterministic protocol. 

Categories and Subject Descriptors F.3 [LOGICS AND MEAN- 
INGS OF PROGRAMS]: Specifying and Verifying and Reasoning 
about Programs 

General Terms Algorithms, experimentation, performance, veri- 
fication. 

Keywords program specialization, supercompilation, program 
analysis, program transformation, verification. 

1. Introduction 

One of the main concerns in the research in program specialization 
and other program transformation techniques is an efficiency of 
residual (or transformed) programs. It is widely known also that 
specialization of interpreters with respect to given programs can be 
used for effective changing of the semantics of the programs. For 
example, a number of researchers were interested in generation of 
efficient programs implementing inverse functions [19], [20], [26], 
[2]. Still efficiency of the resulting programs is the major issue. 
But there is something more in program transformation techniques. 
They can be used for analysis of the programs and more specifically 
for the verification [7], [9]. 

In this paper we take a step further and show that specialization 
can be used also not only for the analysis of the programs, but for 
the solution of combinatorial and algebraic problems encoded in 
the programs. We consider a number of examples illustrating use 



of a supercompiler (SCP4 [15], [17], [18]) for this purpose. We hope 
the examples will be able to motivate further research in automated 
program specialization. 

1.1 The Presentation Language 

We present our program examples in a variant of a pseudocode for 
functional programs while real supercompilation experiments with 
the programs were done in a strict functional programming REFAL 
language [27], [28]. 

The programs given below are written as strict term rewriting 
systems based on pattern matching. The sentences in the programs 
are ordered from the top to the bottom to be matched. To be 
more closely to REFAL we use two kinds of variables: .v. variables 
range over symbols (i.e. characters and identifiers, for example, 
'a' and True), while e. variables range over the whole set of the 
S-expressions. We also use a syntactical sugar for representation 
of words (finite sequences of characters), so, for example, the 
list 'b' : 'a' : [] is shortened as 'ba' and 'aba' :e.x denotes 
' a ' : ' b ' : ' a ' : e . x. <•,»,•> denotes a triple. 

2. Word Equations 

For a given alphabet E we denote as S* the set of finite words 
over S. Let X be a finite set of variables disjoint with S. A word 
expression is defined to be either an element of E, a variable, the 
empty word e or a finite sequence of word expressions. For given 
two word expressions L and R, an equation of the form L = R is 
called as a word equation. 

A solution of a word equation is any substitution of unknowns 
in the word equation by words that turns the equation L = R in 
literal equality. 

A classical problem is to describe the set of all solutions of a 
given word equation. In a sense the equations itself describes the 
set. We are interested in a more constructive (transparent) descrip- 
tion of the set. Important contribution in resolving the problem was 
made in the late 1960's by Yu.I. Khmelevskii [6]. In 1970's G.S. 
Makanin [14] suggested an algorithm deciding whether there ex- 
ists a solution of any given word equation or not. There exists an 
algorithm based on the Makanin's ideas, which for a given word 
equation generates a finite graph describing the corresponding so- 
lution set. 

An example given below demonstrates both the statement above 
(i.e., a solution exists) and the fact that supercompilation is able 
to generate the same graph as the Makanin's algorithm does for 
this example word equation. In this example the graph is a finite 
automaton. 

main(e.xs) = equal Cab' ++ e.xs, e.xs ++ 'ba'); 
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e . xs ::= ' a ' : ' b ' : e . xs 




Figure 1. Graph describing the solution set of the word equation. 

equal ( [] , [] ) = True; 
equal (e.xs, e.ys) = False; 

The function equal is a predicate checking whether two given 
words are equal. The function main is a predicate testing whether 
a given word is a solution of the following word equation: 

'ab' ++ e.xs = e.xs ++ 'ba' 

We may specialize the program with respect the partial knowl- 
edge of the arguments of the call for the function equal. The resid- 
ual program produced by the supercompiler SCP4 looks as follows: 

main( 'a':'b':e.xs ) = main( e.xs ); 
main( 'a':[] ) = True; 
main( e.xs ) = False; 

This residual program P (as any program!) can be seen as a 
graph. Vertices of the graph correspond to the program function 
calls and the return expressions. Its edges are labeled with the case 
expressions or assignments. This graph describes the solution set 
of the word equation being considered. The edge corresponding to 
the last sentence of the P is redundant for such description. This 
sentence will be absent, if we will remove the last sentence of the 
original function equal. After that the obtained graph coincides 
with the graph generated by the Makanin's algorithm (see, for 
example, [1]). See Figure 1 for the graph. The solution set is 
('ab')*'a'. 

Supercompilation of the following task (by the supercompiler 
SCP4) 

main(e.xs) = equal( ' ab'++e . xs++ ' a' ,e . xs++'ba' ) ; 

yields the residual program: 

main(e.xs) = False; 

The graph encoded by the residual program consists the root 
and a leaf labeled with False. The only edge outcoming from the 
root incomes in the leaf. That means the word equation 

'ab' ++ e.xs ++ 'a' = e.xs ++ 'ba' 

has no solutions. 

Resume is as follows. A result of specialization may be inter- 
esting not only because of effective performance of the residual 
program as compared to a source program. The syntactical struc- 
ture of the result may serve as a solution to the problem encoded 
in the source program. It is certainly, that for arbitrary word equa- 
tion the supercompiler SCP4, in general, is not able to reproduce 
the same graph as the Makanin's algorithm does. Weakness of the 
supercompiler as well as supercompilation method per se does not 
allow to achieve such a result. In our opinion, the ideas basing the 
Makanin's algorithm may be borrowed for further development of 
the supercompilation method. 

3. Supercompilation of an Absurd Program (a 
Korlyukov's Example) 

The idea of the example given in this section belongs to A.V. 
Korlyukov. A part of comments to the example belongs to A.V. 
Korlyukov as well, while another part given by the authors of this 
paper. 

Unfortunately, passed away prematurely A.V. Korlyukov pub- 
lished the idea only in Russian Internet pages [5], [4]. 



Following after V.F Turchin let us consider the well-known 
problem "Missionaries and Cannibals" [27]. 

Three missionaries and three cannibals come to the bank of 
a river and see a boat. They want to cross the river. The boat, 
however, can carry no more than two people. There is a further 
restriction. At no time should the number of cannibals on either 
bank of the river (including the moored boat) exceed the number of 
missionaries (because the missionaries would then be overpowered 
and eaten). How (if at all) is it possible to cross the river? 

Now we generalize the problem. Given n missionaries and 
k cannibals is it possible to cross the river and to save all the 
missionaries? If the answer is true, then we are interested in the 
algorithm carrying the strange crowd. 

We intent investigate the problem in details. We will use the 
supercompiler SCP4 as a "calculator" in an interactive mode (as 
usually any calculator being used). 

We consider an interpreter of the dynamic system moving the 
crowd from the left bank to the right. The interpreter is given 
in Figure 2. It takes (as an input) the pair of the numbers n, k 
describing the initial crowd on the left bank and a finite sequence 
of the boat states (we call such a sequence as a path). It returns 
information: does a prefix of the path bring the crowd to the right 
bank (i.e., True or False)? Additionally, if the answer is True, 
then it returns the rest of the path, which did not take a part in 
moving the crowd; if the answer is False, then it returns the part 
of the crowd brought to the right bank. 

There are a number of tricks in the encoding. We encode the 
pair of the numbers n, k as a triple of nonnegative integers m, p, c 
such that 

ra = max{n — k, 0}, c = max{fc — n, 0}, n = ra + p, k — c + p 

and we use unary notation to represent the integers. For exam- 
ple, five missionaries and three cannibals will be represented as 
[['mm'] , ['ppp'] , []], while two missionaries and three canni- 
bals will be represented as [ [] , [ ' pp ' ] , [ ' c ' ] ] . A state of a given 
bank is encoded with such a triple. A state of the boat is encoded 
as one identifier, the name of which consists from the first capital 
letters of its passengers. For instance, MM means the state with two 
missionaries on the boat, while C is the state with one cannibal. The 
function Move has four arguments: the first one is a state of the boat, 
the second is an active bank (L or R), e . 1 and e . r are variables 
taking (as their values) the states of the left and right banks cor- 
respondingly. The Move modifies the banks' states and returns the 
new active bank and the two modified states. The functions Minus 
and Plus define unary arithmetic according to our encoding. The 
function Int iterates the crossing process. Here we skip over the 
functions CutFalse , BlockRepetition and will consider them 
later. As an example we give the following call for the interpreter 
and its result. 

mainlnt ( 

[[] , ['ppp'] , []] , [CC,C,CC,C,MM,MC,MM,C,CC,M,MC,MC] 

) 

= [True , [MC] ] 

We would like to note that the program looks very absurd. 
Actually it is unthinkable to execute it at all. It is in need the 
whole history of its computations as the second argument to start 
transformations of the first argument (though, such a program is a 
kind of a predicate). But we are not going to execute the program, 
we will supercompile it. And we will show that does matter. 

First of all, let us formulate the problem in the program terms. 
For the following parameterized call mainlnt (e . lo , e.path) 
and a given state e . lo on the left bank we are interested in an 
answer to the question: does a path e.patho exist such that the 
(a part of) result of the call is True? 
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We will answer on the given question interactively using the 
supercompiler SCP4 and analyzing the residual programs produced 
by the supercompiler. By the precondition of the problem we can 
narrow the initial left state's set 

e.left = [[e.m] , [e.p] , [e.c]] 

to one of the following two forms 

[[e.m],[e.p],[]] and [[],[], [e . c] ] 

otherwise the missionaries will immediately be eaten. Thus we 
have the two tasks: 

mainlnt([[e.m] , [e.p] , []] , e.path) 

and 

mainlnt ([[],[], [e . c] ] , e . path) 

to be solved. 

With the goal to make the residual programs more compact 
(so easier analyzable) we add an additional trick. Among all the 
paths, moving the boat from one bank to the other, there exist 
meaningless. The simplest from them contains at least two identical 
states staying side by side in the path: such two states mean the 
boat has just moved passengers to a bank immediately moves the 
same kind of passengers back to the other bank. If there exists 
such a path successfully moving the crowd to the right bank, then 
there exits a shorter successful path, where the conjugated states are 
removed. This note allows us to exclude the indicated kind of the 
paths (henceforth everywhere in this paper). We do that by calling 
the function BlockRepetition with an argument which never 
matches the function definition. So the call leads to an abnormal 
stop at run time and to cutting the corresponding branch of the 
program at supercompile time. The first argument s . pa of the 
function Int serves to recognize two identical states staying side 
by side in a given path. 

Whenever we hope on the positive answer to the problem ques- 
tion we will replace the following sentence of the program to be 
supercompiled 

Int( s.pa, s.d, e.l, e.r, [] ) = False : e.r; 
with the sentence 

Int( s.pa, s.d, e.l, e.r, [] ) = CutFalse( [] ) ; 

Once again we do that for the sake of simplicity of the corre- 
sponding residual programs. The call CutFalse ( [] ) like the call 
for the function BlockRepetition cuts the branch leading to the 
negative answer. 

3.1 Diagonal Cases 

We start with the case when the number of the missionaries equals 
to the number of the cannibals. That is to say, we have to super- 
compile the following start configuration: 

mainlnt ([[], [e.p] ,[]] , e.path) 

Our first experiment is for two missionaries and two cannibals. 

EXAMPLE 1 . The start configuration: 

mainlnt ([[], ['pp '],[]] , e.path) 

The program contains the sentence with the call CutFalse( [] ). 
Supercompilation produces the following residual program: 

mainlnt '( [s .x , e.path]) = True : [f (s . x, e .path)] ; 

f(CC, [C, MM, M.MC, e.path]) = e.path; 
f(CC, [C, MM, C.CC, e.path]) = e.path; 
f(CC, [C,M,MC,s.x, e.path] ) =f(s.x, e.path); 



mainlnt(e.l, [s.a, e.path]) = 

Int(s.a, Move (s. a, L, e.l, [[],[],[]]) .e.path) ; 

/* The boat on the left bank. */ 
Move( s.a, L, e.l, e.r ) 

= <R, Mimis(s.a, e.l), Plus(s.a, e.r)>; 
/* The boat on the right bank. */ 
Move( s.a, R, e.l, e.r ) 

= <L, Minus(s.a, e.l), Plus(s.a, e.r)>; 

Int( s.pa, R, [[],[],[]], e.r, e.path ) 

= True : e.path; 
Int( s.pa, s.d, e.l, e.r, [] ) = False : e.r; 
Int( s.pa, s.d, e.l, e.r, [] ) = CutFalse ([]) ; 
Int( s.pa, s.d, e.l, e.r, [s .pa, e .path] ) 

= BlockRepetition( [] ) ; 
Int( s.pa, s.d, e.l, e.r, [s.x, e.path] ) = 

Int(s.x, Move(s.x, s.l, e.l, e.r), e.path); 

CutFalse ( Deadlock ) = [] ; 
BlockRepetition ( Deadlock ) = [] ; 

Minus (MM, [['mm',e.m],e.p,[]]) = [e.m.e.p, []] ; 
Minus (MM , [ [] , [ 'pp'] , [] ] ) = [[],[],[' cc ']] ; 
Minus (MM , [ [ >m> ] , [>p>] , [] ] ) = [[],[],[> c >]] ; 
Minus(CC, [[],[], ['cc', e.c]]) = [[],[], e.c]; 
Minus(CC, [e.m, ['pp' ,e.p] , []]) 

= [['mm' ,e.m] ,e.p, []] ; 
Minus(MC, [e.m, ['p' ,e.p] , []] ) = [e.m.e.p, []] ; 
Minus(M, [[] , ['p'] , []]) = [[],[], ['c']]; 
Minus(M, [ ['m' , e .m] , e .p, [] ] ) = [e.m.e .p, []] ; 
Minus(C, [[],[],['<:', e.c]]) = [[],[], e.c]; 
Minus (C, [e.m, ['p' ,e.p] , []]) = [['m',e.m],e.p,[]]; 

Plus(MM, [[],[], ['cc']]) = [[] , ['mmcc'] , []] ; 
Plus(MM, [[],[], ['c']]) = [['m'] , ['mc'] , []] ; 
Plus(MM, [e.m.e.p, []] ) = [['mm', e.m], e.p, [] ] ; 
Plus(CC, [['mm' ,e.m] ,e.p, []]) 

= [e.m, ['pp' ,e.p] , [] ] ; 
Plus(CC, [[],[], e.c]) = [[],[], ['cc' , e.c]] ; 
Plus(MC, [e.m.e.p, []]) = [e.m, ['p' ,e.p] , []] ; 
Plus(M, [[],[], ['c']]) = [[],['p'],[]]; 
Plus(M, [e .m, e .p, [] ] ) = [ ['m' , e .m] ,e .p, [] ] ; 
Plus(C, [['m' ,e.m] ,e.p, []] ) = [e.m, ['p' ,e.p] , []] ; 
PlusCC, [[],[], e.c]) = [[],[],['c',e.c]]; 



Figure 2. The interpreter. 



f(MC, [M, MM, M,MC, e.path] ) = e.path; 
f(MC, [M, MM, C,CC, e.path]) = e.path; 
f(MC, [M,C,CC, s.x, e.path]) = f(s.x, e.path); 

The exits from the recursion show the length of the shortest path 
moving the crowd to the right bank is 5. There exist four such paths: 

[CC, C, MM, M, MC] 

[CC, C, MM, C, CC] 

[MC, M, MM, M, MC] 

[MC, M, MM, C, CC] 

Moreover, the residual program specifies the whole set of the 
successful paths. 

We leave to the reader to analyze the residual programs for one 
missionary and one cannibal (Example 2) and for three missionar- 
ies and three cannibals (Example 3). The source programs contain 
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the sentence with the call CutFalse ( [] ) . The answers to the ques- 
tion are positive in both cases. 

Example 2. 

mainlnt ' ( [MC , e . path] ) = True : [e . path] ; 

Example 3. 

mainlnt '( [s . x , e.path]) = True : [f (s . x, e .path)] ; 

f (CC, [C,CC,C,MM,MC ,MM,C,CC ,M,MC , e .path] ) = e.path; 
f (CC, [C.CC.C, MM, MC, MM, C,CC,C,CC, e.path]) = e.path; 
f (CC, [C,M,MC,s. x, e.path] ) =f(s.x, e.path); 
f (MC, [M.CC.C, MM, MC, MM, C,CC,M,MC, e.path]) = e.path; 
f (MC, [M.CC.C, MM, MC, MM, C,CC,C,CC, e.path]) = e.path; 
f (MC, [M,C,CC,s. x, e.path] ) = f(s.x, e.path); 

The following experiment is for an equal number of missionar- 
ies and cannibals, and the number is greater than three. 

EXAMPLE 4. The start configuration: 

mainlnt ([[], ['pppp' , e.p],[]], e.path) 

The residual program for the source program containing the sen- 
tence with False is given in the attachment A. The residual pro- 
gram never returns True and that is a syntactical property of the 
program. On the other hand, the source program terminates for 
any given arguments. That allows us to conclude that there exist no 
paths moving the crowd to the right bank. 

Note that if we supercompile the source program containing the 
sentence with the call CutFalse(O), then the residual program 
is empty. In other words, it is a trivial program with the empty 
domain and this property also is syntactical rather than semantic. 
We might infer the negative answer to the problem question from 
the emptiness of the residual program. 

Thus we have considered all the diagonal cases. If the number 
of both missionaries and cannibals is greater than three, then there 
exist no paths moving the crowd to the right bank, otherwise such 
a path exists. 

3.2 The Number of Missionaries is Greater Than the 
Number of Cannibals 

Now we consider the case when the number of the missionaries 
greater than the number of the cannibals. The corresponding start 
configuration is: 

mainlnt ([['m',e.m],[e.p],[]], e. path) 

In all our experiments concerning to this case the source pro- 
grams contain the sentence with the call CutFalse ( [] ) . 

EXAMPLE 5. The start configuration is 

mainlnt ([I'm' , e.m] , [e.p] , []] , e.path) 

The supercompiler SCP4 produces quite a large residual program. 
The program may be found in [13]. Unfortunately we have to an- 
alyze the residual program, because the numbers of both mission- 
aries and cannibals are not given in advance, and for each such a 
pair may exists a needed path and such paths may have (and do 
have) very different structures. Moreover, the method used in the 
first example cannot be applied here, because it is unknown in ad- 
vance to which pair of the numbers a given exit from the recursion 
corresponds, and maybe for a pair there exist no exits from the re- 
cursion at all (i.e., all paths starting with a given pair lead to an 
abnormal stop (a deadlock) of the program). 

On the other hand, such a large residual program may be an 
indirect evidence of the fact that the set of the successful paths is 



too large. Assiming that we may try to narrow the paths' set, where 
we are looking for the successful path's witnesses. With such an 
aim we restrict the boat states as follows. 

EXAMPLE 6. The boat crossing the river in the direction to the 
right bank may have only three states MM, MC, MC, while it cross- 
ing the river in the opposite direction may have only two states M, 
C. The idea is to increase stepwise the number of the people on 
the right bank and in such a way to approach to resolution of the 
task. We do that by changing the original function Move with the 
following: 

I* The boat on the left bank. */ 
Move( MM, L, e.l, e.r ) 

= <R, Minus (MM , e.l), Plus(MM, e.r)>; 
Move( MC, L, e.l, e.r ) 

= <R, Minus(MC, e.l), Plus(MC, e.r)>; 
Move( CC, L, e.l, e.r ) 

= <R, Minus(CC, e.l), Plus(CC, e.r)>; 

/* The boat on the right bank. */ 
Move( M, R, e.l, e.r ) 

= <L, Minus(M, e.l), Plus(M, e.r)>; 
Move( C, R, e.l, e.r ) 

= <L, Minus (C, e.l), Plus(C, e.r)>; 

This function filters out the forbidden states of the boat: they 
never match with the sentences of the redefined function Move and 
they lead to an abnormal stop ( recognition impossible, deadlock.). 

Now, supercompiling the start configuration 

mainlnt ([[' m'] , [ 'pp'],[]], e.path) 
we obtain the following residual program. 
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= True 


: [e.path] ; 
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= True 


: [e . path] ; 


mainlnt 
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= True 


: [e . path] ; 


mainlnt 
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= True 


: [e . path] ; 


mainlnt 


([CC, 


c, 


MM, 


M, 


MC, 


c, 


MC, e 


path] ) 



= True : [e . path] ; 

Analyzing this result program we see that if the boat is on the 
left bank, then the path [MC, C, MC, M] adds a pair ( missionary- 
cannibal) on the right bank, provided that on the left bank the num- 
ber of the missionaries greater than the number of the cannibals. 
That means a repeated iteration of such a path leads to success. 
The path [MC, C,MC] (a prefix of the considered above) decides the 
problem with two missionaries and one cannibal. 

Note that such a narrowing of the possible paths might be 
unsuccessful for other start configurations. For example, in the case 
of the start configuration 

mainlnt ([[], ['ppp '],[]] , e.path) 

there exists no successful path from the narrowed set, while we have 
found a successful path in the whole paths' set (see Example 3). 
Nevertheless supercompilation of the start configuration 
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mainlnt ( [[ 'm'] , ['pp '] , []] , e.path) 

with the original definition of the function Move produces a residual 
program P (see the attachment [13]), which is more complicated 
than the residual program above, but the key information of the 
path [MC, C,MC,M] still may be retrieved from the P (but applying 
more efforts). 

The other cases (when in the start configurations the number of 
the cannibals is greater than the number of the missionaries, no can- 
nibals, no missionaries) are trivial. The following table summarizes 
our investigation. It gives a left upper angle of the result matrix. The 
empty cells correspond to the False answer. 
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4. Conclusion 

What did happen in the experiments described above? Program spe- 
cialization (supercompilation) originally developed as an optimiza- 
tion method was used for studying some syntactical properties of 
the residual programs rather than for executing the programs. In a 
sense we used the supercompiler SCP4 as a tool helping to solve 
the mathematical tasks. We used the tool in an interactive fashion. 
In such a way we use any calculator. 

In the section 2 we were interested in the graph encoded within 
the residual program. The graph describes the solution set of a word 
equation. 

Using the supercompiler SCP4 to solve the missionaries-can- 
nibals problem was more complicated. In this case, using a rough 
analogy, the supercompiler was exploited as a kind of a "PRO- 
LOG interpreter". We were interested in narrowing a parame- 
ter of the start configurations (the goals to be supercompiled) 
(mainlnt ( [ [e . m] , [e . p] , [e . c] ] , e . path) ). The narrowed 
parameter e . path (its substitution set) has to satisfy a property 
imposed by the source program (actually a kind of a predicate). 
Unlike PROLOG, when the substitution set cannot be described as 
a finite union of parameterized lists (S-expressions), the supercom- 
piler produces a finite residual program describing the substitution 
set more explicitly (transparently) as to compared with the source 
program. (The same note is valid for the word equation example.) 
The function calls CutFalse ( [] ) , BlockRepetition( [] )are 
analogues of the CUT mechanism in PROLOG. 

The function mainlnt (e . 1, e .path) can be seen as an in- 
terpreter transforming data e.lo according to a given program 
e.patho. In such a case our experiments can be seen as special- 
ization of the interpreter with respect to partial information of the 
data. The authors used such specialization of interpreters for ver- 
ification of safety properties of nondeterministic cache coherence 
protocols [8], [9], [10], [11]. The dynamic system "missionaries- 
cannibals" also may be considered as a nondeterministic protocol, 
where the boat states are actions controlling the global state of the 
computing system. The actions are being chosen in a nondetermin- 
istic way governed by a number of guides. The examples above of 
the start crowd configurations, for which we proved the negative 
answer on the question given in the problem, are the conditions 
on the start protocol configurations satisfying the safety property 



defined by the positive answer on the question. That is to say, the 
computer system starting with such a configuration never reaches 
the global state, when the whole crowd is on the right bank. Our 
treatment of the start configurations corresponding to the positive 
answer is a search for a witness violating the safety property. Act- 
ing in a similar way we have found bugs in a number of cache 
coherence protocols (see [12], [11]). 

Finally we would like to note that actually all our experiments 
were done in a strict functional programming language REFAL 
[27], [28], using the supercompiler SCP4 under the following strat- 
egy: 

$ MATCHING ForRepeatedSpecialization; 
$STRATEGY Applicative; 

A. The Residual Program Obtained in Example 4 

mainlnt ' (e .p, [s.x : e.path]) 

= False : [ [] ,f (s .x ,e .path.e .p)] ; 

f (CC, [] , e.p) = <[] , [>cc']> ; 
f (CC, [C] , e.p ) = <[] , [>c']> ; 
f(CC, [C, CC] , e.p) = <[],['ccc']> ; 
f(CC, [C, CC, C], e.p) = <[],['cc']> ; 
f(CC, [C, CC, C, MM], e.p) = <['pp'],[]> ; 
f(CC, [C, CC, C, MM ,MC], e.p) = <['p'],[]> ; 
f(CC, [C, CC, C, CC, e.path], e.p) 

= <[], ['ccc', g(e.p, [] , e.path)]>; 
f (CC, [C, M] , e.p) = <[>p>] . □> J 
f (CC, [C, M, MC] , e.p) =<[],[]> ; 
f(CC, [C, M, MC, s.x, e.path], e.p) 

= f (s.x, e.path, e.p) ; 
f (MC, [] , e.p) = <['p'] , []> ; 
f (MC, [M] , e.p) = <[] , ['c']> ; 
f(MC, [M, CC] , e.p) = <[], [>ccc>]> ; 
f(MC, [M, CC, C] , e.p) = <[], ['cc']> ; 
f(MC, [M, CC, C, MM], e.p) = <['pp'], [] > ; 
f(MC, [M, CC, C, MM, MC] , e.p) = <['p'], □ > ; 
f(MC, [M, CC, C, CC, e.path], e.p) 

= <[], ['ccc', g(e.p, [] , e.path)]>; 
f (MC, [M, C] , e.p) = <[] , ['cc']> ; 
f(MC, [M, C, CC], e.p) = <[], []> ; 
f(MC, [M, C, CC, s.x, e.path], e.p) 

= f (s.x, e.path, e.p) ; 
f (C, [] , e.p) = <[] , ['c>]> ; 



g(e.p, e.c, [] ) = 'c':e.c; 
g(e.p, e.c, C) = e.c; 
g('p':e.p, e.c, [C, CC, e.path]) 

= g(e.p, 'c':e.c, e.path); 
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